@@ -14,10 +14,12 @@ import semmle.python.dataflow.new.RemoteFlowSources
1414import LdapInjectionCustomizations:: LdapInjection
1515
1616/**
17+ * DEPRECATED: Use `LdapInjectionDnFlow` module instead.
18+ *
1719 * A taint-tracking configuration for detecting LDAP injection vulnerabilities
1820 * via the distinguished name (DN) parameter of an LDAP search.
1921 */
20- class DnConfiguration extends TaintTracking:: Configuration {
22+ deprecated class DnConfiguration extends TaintTracking:: Configuration {
2123 DnConfiguration ( ) { this = "LdapDnInjection" }
2224
2325 override predicate isSource ( DataFlow:: Node source ) { source instanceof Source }
@@ -31,11 +33,24 @@ class DnConfiguration extends TaintTracking::Configuration {
3133 }
3234}
3335
36+ private module LdapInjectionDnConfig implements DataFlow:: ConfigSig {
37+ predicate isSource ( DataFlow:: Node source ) { source instanceof Source }
38+
39+ predicate isSink ( DataFlow:: Node sink ) { sink instanceof DnSink }
40+
41+ predicate isBarrier ( DataFlow:: Node node ) { node instanceof DnSanitizer }
42+ }
43+
44+ /** Global taint-tracking for detecting "LDAP injection via the distinguished name (DN) parameter" vulnerabilities. */
45+ module LdapInjectionDnFlow = TaintTracking:: Global< LdapInjectionDnConfig > ;
46+
3447/**
48+ * DEPRECATED: Use `LdapInjectionFilterFlow` module instead.
49+ *
3550 * A taint-tracking configuration for detecting LDAP injection vulnerabilities
3651 * via the filter parameter of an LDAP search.
3752 */
38- class FilterConfiguration extends TaintTracking:: Configuration {
53+ deprecated class FilterConfiguration extends TaintTracking:: Configuration {
3954 FilterConfiguration ( ) { this = "LdapFilterInjection" }
4055
4156 override predicate isSource ( DataFlow:: Node source ) { source instanceof Source }
@@ -48,3 +63,19 @@ class FilterConfiguration extends TaintTracking::Configuration {
4863 guard instanceof FilterSanitizerGuard
4964 }
5065}
66+
67+ private module LdapInjectionFilterConfig implements DataFlow:: ConfigSig {
68+ predicate isSource ( DataFlow:: Node source ) { source instanceof Source }
69+
70+ predicate isSink ( DataFlow:: Node sink ) { sink instanceof FilterSink }
71+
72+ predicate isBarrier ( DataFlow:: Node node ) { node instanceof FilterSanitizer }
73+ }
74+
75+ /** Global taint-tracking for detecting "LDAP injection via the filter parameter" vulnerabilities. */
76+ module LdapInjectionFilterFlow = TaintTracking:: Global< LdapInjectionFilterConfig > ;
77+
78+ /** Global taint-tracking for detecting "LDAP injection" vulnerabilities. */
79+ module LdapInjectionFlow =
80+ DataFlow:: MergePathGraph< LdapInjectionDnFlow:: PathNode , LdapInjectionFilterFlow:: PathNode ,
81+ LdapInjectionDnFlow:: PathGraph , LdapInjectionFilterFlow:: PathGraph > ;
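Review bot: `LdapInjectionFilterConfig` defines only `isBarrier` with `FilterSanitizer`, while the deprecated `FilterConfiguration` still carries a guard-based check, `guard instanceof FilterSanitizerGuard`, that has no counterpart in the new module. If `FilterSanitizer` does not already include the nodes protected by those guards (the customizations library is not visible here), `LdapInjectionFilterFlow` will report paths the old configuration treated as sanitized, so results would differ between the deprecated and the new API. `LdapInjectionDnConfig` may have the same gap, but the matching lines of `DnConfiguration` fall outside the hunks shown. I would confirm the coverage and record it on both config modules with a short QLDoc comment such as `/** Guard-based sanitizers are modelled as FilterSanitizer barrier nodes. */`, and add a test case with a guarded filter value to pin the behaviour.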